GitLab

Motivated by #18816 (moved): it looks like in networkstatus_check_consensus_signature() we return success if there are "enough" signature on the consensus we get. So we could cut out the cert fetching step in initial bootstrap for all new Tors, by having an "if there is no cached-cert file, use this string instead" step.

And this string would continue being good enough until quite a few of the authorities have rotated to a new cert.

Minor issue #1: Tor 0.2.7.6 has now been out for five months. I bet quite a few of the certs have rotated by now. So we should keep in mind that this feature in stable releases will decay over time (and maybe we want a new stable every 4-6 months or something anyway). A fancier option would be to use an external file, and then Tor Browser could just make an updated version of the file as part of its release process.

Minor issue #2 (closed): As the stables are decaying, does this feature open the user up to a partitioning attack? I think the answer might be "yes but a very minor one, so let's not worry about it."